Introduction and Purpose


Public schools have a mandate to educate children in a way that is safe, 
effective, and cost efficient. The risks involved in achieving that mandate 
have become increasingly complex, and the need to manage those risks has 
never been greater. 

The emergence of widespread, interconnected risks, such as cyber risks and 
data management, infrastructure risks, privacy, the threat of terrorism, and 
workplace violence makes it clear that the nation’s public schools need a 
new approach to managing risk. Many of the most pressing risks and the 
uncertainties associated with achieving a school district’s key mission go 
beyond insurable risks or activities under the direct control of a school 
district; they now include a broader range of uncertainties. A broader 
approach to risk management is needed. 

The challenge for members of the Council of the Great City Schools is 
to identify best practices in managing risk, referred to in this paper as 
Enterprise Risk Management or ERM. The purpose of this white paper is 
to present key concepts of ERM and enhance the understanding of how to 
apply ERM to a K-12 public school setting.


Operational Risk Management and the Evolution of ERM


The profession of risk management has been evolving since the late 1970s, 
when individuals responsible for purchasing insurance began to seek 
alternative ways to finance risks. The liability insurance crisis of the mid-80s, 
when the cost of insurance soared and availability diminished, furthered the 
development of self-insurance and other risk financing alternatives. In the 
decades that followed, the concepts of managing operational risks through 
training and prevention, claims and litigation management, and increasingly 
sophisticated risk financing structures flourished. 

In the United States, operational risk management grew out of issues
that related to safety practices and regulations, insurable risks, and the 
management of claims and loss prevention. Traditional concepts of 
operational risk management can include any or all of the following 
components: 

• Insurance coverage, such as workers’ compensation, property and liability 
(general, automobile, professional, school board legal, law enforcement) 

• Safety, loss prevention, or risk control 

• Claims management 

• Student and athletic accident programs 

• Employee benefits 

• Supplemental retirement programs 

Operational risk management views risk as bad and something to be 
minimized or mitigated. Treatment methods include reducing potential 
negative outcomes (through a variety of techniques, such as risk control, 
training, early intervention, and claims management), transferring the 
consequences (usually to a third party or an insurance company), or 
avoiding risk altogether (by not engaging in an activity, for example). 

These are effective treatment methods for managing threats that are 
predictable and within the direct control of schools. However, over the past 
40 years, the world of risk has changed dramatically. Natural catastrophes, 
terrorist events, and financial and global crises have increased the need for 
risk management solutions that go beyond risk financing and prevention. 

In addition, organizations that consider how to take risks as part of their 
overarching strategy, that is, choosing to take calculated risks in some 
cases, are organizations that have led the way to a broader approach to risk 
management or ERM. 

The following illustration outlines the evolution of risk management over
the past 30 years as it has expanded to become more strategic. 


“Traditional” Risk Management
Transactional in nature

• Purchase of insurance to cover risks

• Hazard-based risk identification and controls

• Compliance issues addressed separately

• Safety & emergency management are separate functions

• Focus is on cheapest cost of insurance premiums

• Risk management is handled by individual departments

• The risk manager is the insurance buyer

Risk is bad - focus is on transferring risks


Advanced Risk Management
Focused on integrating risk functions

• Greater use of alternative risk financing techniques

• More proactive about preventing and reducing claims

• Integrates risk-related functions such as claims management, contracts
review, special events risk management, loss control/prevention

• Cost allocation used to share costs and hold departments accountable

• More collaboration among departments

• The risk manager may be the risk owner for the district

Risk is an expense - focus is on reducing the cost of risk


Enterprise Risk Management
Focused on strategy & prioritization

• A wide range of analytical tools are used to identify and respond to key
risks to mission and strategy

• A wide range of risks are considered - strategic, financial, operational,
and reputational

• Uses a broader definition of risk to include opportunities and focus on
uncertainties to mission

• Helps manage growth, allocate capital and resources

• Risks are prioritized by a broad group and owned by those with direct
control

• The risk manager is the risk facilitator and leader

Risk is uncertainty - focus is on optimizing the management of risk to
achieve goals


ERM as Described by ISO 31000 -
and What It Means for District Operations


The risk management landscape changed significantly in the years between 
2004 and 2009. In 2004, Australia and New Zealand revised their standards 
for how to manage risk, and the Committee of Sponsoring Organizations 
(COSO) issued its ERM framework. Both occurrences were game changers 
in the practice of risk management. COSO, which represents audit and 
financial organizations, issued directives to internal auditors to assist in the 
identification, assessment, and treatment of all risk (strategic, operations, 
reporting, and compliance). 

At the same time, the Australian and New Zealand standards became 
the basis for the first international benchmarks in the practice of risk 
management, a practice that was created by risk experts from over 30 
countries around the world. In addition, ISO 31000, “Risk Management 
Principles and Guidelines,” was published in 2009 after four years of work 
by the International Standards Organization (ISO). 

Informed by these important publications and by the desire of many 
organizations to create a broader and more inclusive attitude towards risk, 
the practice of risk management expanded beyond insurable risks and 
finance mechanisms into how to consider risks as a part of organizational 
strategy and mission. This new practice emphasized that everyone has a 
role to play in managing risk, and that a consistent and comprehensive 
approach — and indeed the purpose of managing risk — is to help districts 
focus on and achieve their mission and strategic objectives. 

ISO 31000 was published to guide organizations of any size or type
to implement a broader approach to risk management. The document 
amounts to a guidance standard rather than a compliance standard, because 
it recognizes that each organization needs to scale and tailor its framework 
for and process of risk management to its particular operations and mission. 

The ISO standard defines risk management as a coordinated effort to
direct and control all activities related to risk. It defines risk as the effect of 
uncertainty on objectives. It therefore ties the management of risk to what is 
most important to the organization. 

ERM recognizes that there are times when accepting (or embracing) and 
working with risk (in service of a goal or objective) is appropriate. For 
example, school district leaders may decide upon three unique strategic 
goals to reduce the achievement gaps among students. There are risks 
associated with those goals that may increase the likelihood of success as 
well as risks that may negatively affect the outcome. ERM would help 
leaders consider and balance the uncertainties that surround possible 
outcomes and prioritize them in a way that would best support positive 
outcomes and minimize threats. As risks are identified, prioritized, and 
evaluated, leaders can determine how risks will be managed - and by whom. 
The entire process is meant to sharpen one’s aim and focus and enhance the 
achievement of strategic goals. 

ERM envisions that eventually all decisions made by an organization will 
utilize a consistent and inclusive process that will consider objectives, 
uncertainties, and possible outcomes before a decision is made. This 
risk-based decision-making process begins with a discussion of context, 
which helps participants understand the importance of the decision in 
relation to school district mission, strategy, and goals. Leaders will also 
consider the operational context (which includes the legal and regulatory 
environment, the financial and cultural climate, and so on), and the process 
for doing so will engage appropriate internal and external stakeholders. 

The process considers both positive and negative outcomes (or threats and 
opportunities related to a decision) and evaluates the organization’s ability 
to manage identified risks. The entire process is characterized by continuous 
communications, along with monitoring and revisions to maintain risks 
within an organization’s level of tolerance. The process also identifies risk 
owners, establishes reporting lines, and considers budget implications. 


Key Differences and Challenges


In larger school districts, like the Great City Schools, traditional risk 
management is usually led by a trained risk professional and a small staff. 
Claims management, loss prevention, underwriting, and benefits may 
be provided by in-house staff or outsourced to external service providers. 
Sometimes, specific risk-related operations — such as employee benefits or 
workers’ compensation — may be handled by a separate department. 

In other cases, risk management becomes an additional duty assigned to 
existing personnel (such as emergency management, procurement, audit, 
former administrators or human resource personnel). This practice can 
raise difficulties if those duties are secondary to other responsibilities or 
if technical and leadership skills are lacking. This situation can also create 
too much costly reliance on outside experts, such as insurance brokers and 
consultants. 

The organizational location of the risk management function varies widely 
among school districts. A full-time risk manager may report to the school 
district’s chief financial officer, the director of human resources, or the legal 
department or may be a member of the superintendent’s cabinet or senior 
staff. To some extent, the importance that the organization gives to risk 
management is often reflected in the placement of the risk management 
position and its reporting protocols. 

Regardless of position or roles, risk managers who remain focused on 
operational risks typically develop excellent technical skills in risk financing, 
claims management, prevention, and risk control. However, the skills 
needed to advance ERM are more likely to focus on communications
and facilitation, strategic thinking, and leadership. A “traditional” risk
manager may find that the lack of these skills limits participation in strategy
setting or decision making at a broader, more strategic level. As ERM
engages in supporting strategy and opportunity, it becomes more closely 
linked to district management, decision making, and policy-setting across 
the entire district. This level of activity requires a far different skill set and 
organizational positioning to be effective. 

A fully developed ERM program is often led by a chief risk officer
(CRO), a position equal to other chief officers or senior staff. The CRO 
typically reports to top management, the school board’s audit committee, 
or sometimes, directly to the board itself. Although the authors of this 
paper are unaware of any public school district that currently employs a 
CRO, this is a growing practice among institutions of higher education 
and large public entity operations. There are a number of K-12 school 
districts (members of the Council of the Great City Schools) that are 
currently implementing ERM and whose risk managers are included on the 
superintendent’s senior staff. 

Two other significant differences between operational risk management 
and ERM are worth noting. One relates to the emphasis on risk ownership, 
which recognizes that the person who has direct control over a specific risk 
is the one best positioned to manage it. After key risks are identified by a 
broad group of stakeholders and prioritized in relation to a district’s goals 
and strategy, a risk owner is identified for each one. This is a shift away from 
one person (or department) holding risk management expertise to a practice 
akin to making everyone a risk manager. Training all employees on how to 
assess and handle risk and holding risk owners accountable for managing 
risk to within tolerable limits are hallmarks of an effective ERM program. 

Finally, in an ERM program, risk is always prioritized and considered in 
relation to organizational objectives. Risks to strategy and mission elevate 
the consideration and prioritization of risk. These considerations also assure 
that a district will be allocating resources appropriately, that is, to where 
they are most needed and will be most effective. This differs from a more 
traditional approach where risk is identified and evaluated according to its 
potential negative effects, insurability, or the ability of the organization to 
transfer or finance the risk. 


Making the Business Case -
One School District’s Example


Although ERM is often described as ideally having a top-down approach 
with buy-in and directives from the superintendent and senior management, 
public schools are not always managed by a distinctly top-down approach. 
As a result, opportunities to grow ERM organically within an organization 
are possible. For example, in some districts, school sites are given wide 
autonomy in their budgeting, hiring, and instructional programming. 
Enterprise-wide risk can therefore be introduced around specific projects or 
strategic initiatives. 

One example comes from the San Francisco Unified School District 
(SFUSD). In San Francisco, all schools partner with community-based 
organizations (CBOs) to provide much-needed ancillary support such 
as tutoring, childcare, mentoring, reading programs, and so on. SFUSD 
works with hundreds of organizations that provide services to students and 
families, organizations that might present liabilities and risks to the school 
district. Because these services typically are free, they fall outside the normal 
contracting process that has been established by the district. In an effort to 
create better structures and supports for these groups that would result in 
maximum success for both the district and the various CBOs, an ERM lens 
was applied. 

At the outset, the goal of the district’s work was to align the needs of 
its schools with the available resources provided by the CBOs. First, 
an existing strategic tool was used (ERM works best when one doesn’t 
reinvent the wheel but uses what an organization already has in place). The 
Results Oriented Cycle of Inquiry (ROCI) was a model for continuous 
improvement that was already being used by SFUSD. This tool was used 
by a cross-functional staff team and became the basis for articulating the 
process and workflow dealing with CBOs. Out of that process came staffing 
and software for developing and tracking MOUs. This formed the basis for 
identifying and outlining contractually the expectations of each party, as 
well as the process for background clearances, appropriate drug screening,
TB testing, insurance, etc. 

In addition to articulating operational components of the work with 
CBOs, what arose from the process was an opportunity identified by school 
site leaders to look at each CBO working in their schools and make key 
decisions about whether that work aligned with their priorities in their 
Balanced Score Cards (BSC). The BSC was the second strategic tool used 
by the schools to outline their vision and goals. In some cases, it was 
determined that, while the work of a CBO was worthwhile, it did not align 
with a particular site’s most urgent needs and goals, and the relationship was 
consequently discontinued or redirected to better align with those goals. 

This process allowed each principal to assess the “risks” of having more 
CBOs than he or she could manage or to engage CBOs with a mission that 
was more aligned with the school’s mission. This process helped principals 
focus on key services they needed from CBOs that would better support the 
achievement of goals set by their school community. 

From a risk management perspective, what began as a focus on compliance 
(MOUs, insurance, etc.), expanded into an ERM model that provided 
support for strategic objectives and services to better serve the needs of 
students. It resulted in a process that was broader than simply managing 
risks through insurance or other similar risk tools. 

Other examples of programs that could benefit from the broader lens of 
ERM include special education, student health programs, and business 
services such as accounting or human resources. 


What's the Return on Investment?


One opportunity to promote the concept of ERM in large urban school 
districts involves making a business case for the idea and establishing what 
senior management can expect in terms of return on investment (ROI). The 
processes of determining ROI expectations and clarifying key performance 
indicators need to be specific to a district’s needs. 

Some examples of ROI for ERM include: 

• A defined risk management framework and a specific approach to 
managing all risks specifically described for bond-rating agencies. 

• Reciprocal benefits and coordination between internal audit and risk 
management activities and sub-functions. 

• Better education for board members and management on key risks to 
help them fulfill their oversight and governance roles. 

• Collaborative work on risk-related problems (such as the CBO process 
used by SFUSD). 

• Regular internal and external environmental scans for existing and 
emerging risks. 

• Intentional engagement of managers at multiple layers to identify 
risk concerns and establish connections with other aspects of business 
operations and strategy. 

• Avoidance of penalties and fines for lack of compliance as key risks are 
identified and managed. 

• Development of an overall register of key risks for the district and 
tracking of treatment and plans. 

• Treatment plans for prioritized risks provide a credible defense in the face 
of litigation. 

• Gaining the confidence and trust of key stakeholders through 
communications about the risk management program - demonstrated 
through engagements, reports, and activities and verified through surveys 
and feedback. 

A broader conversation and identification of risk — including emerging risks
and trends — will increase preparedness and ability to respond. The risk
assessment process is more proactive than a post-crisis reaction mode and
considers best case/worst case scenarios and responses. 


Potential Action Items for Implementing ERM 


ERM takes time to implement; it is often described as a three- to
five-year endeavor. Although few (if any) districts would claim to have
fully implemented ERM, many districts have begun to apply ERM 
incrementally. The following action steps, in conjunction with the Best 
Practices outlined in the Appendix, are intended to help districts create an 
ERM implementation plan. 


Action Item #1 - Create a Business Case 

Make a business case for implementing ERM. Along with clear messages 
about the benefits and potential ROI, this step can persuade key decision 
makers to support a broader approach to managing risk. The business case 
should be built to support what matters most and tied to strategy, goals, and 
objectives. 


Action Item #2 - Express Your Commitment to Risk Management 

The superintendent is responsible for stating the importance of managing 
risk and support for the district’s risk management framework and process. 
The message should clearly communicate that the district takes risk 
management seriously and that everyone is responsible for managing risk. 
Developing the risk management framework and process requires that 
senior management and the superintendent understand the evolution and 
importance of taking a broader approach to managing risk than has typically 
been the case. 


Action Item #3 - Think About Structure


ERM, as defined in ISO 31000, must be scaled and tailored. This step 
means that each district must consider the structure, staffing, and approach 
that would be the best fit for managing risks to its operations. Districts 
sometimes begin by creating an overall inventory of how risk is currently 
managed - in order to develop a plan for risk management to become more 
consistent, broader, and more integrated. Other options that can help a 
district develop a more tailored approach include creating a study group or 
advisory committee, launching a pilot project or case study, or hiring an 
ERM advisor or consultant.

Action Item #4 - Describe How You Will Manage Risk 

Districts may define their risk management framework and process in a 
policy statement, administrative order, or simply through practice and 
protocol. The description of how and why one manages risk should 
delineate a sustainable framework, the process for assessing risks, and the 
methods for continual improvement. Issues such as roles, accountability, 
and performance measurement should be addressed. This may include 
clarifying the roles of managers, risk owners, and employees in identifying 
and managing risk, as well as establishing key performance indicators, 
key risk indicators, and risk criteria. The ISO 31000 standard provides 
excellent detail on how to establish and create a sustainable framework 
and implementation plan. Many districts are currently working on this 
approach, and it is the intention of the authors of this paper to publish 
additional white papers to provide implementation guidance. 


Action Item #5 - Communicate 

The purpose and importance of ERM should be communicated to the 
entire district and community. Senior management should construct a 
communication process that ensures that key stakeholders are informed 
of progress and risk management results. Communication should be 
transparent and provide a foundation for ongoing monitoring and 
improvement. 

Examples of how risk management monitors and documents results:

• Regular reports to governance bodies (school board or committees) 

• Communications to internal and external stakeholders 

• Annual reports 

• Reports to regulators, financial agencies, or oversight bodies 

• Reports to risk financing organizations 

Action Item #6 - Apply Risk Management to Decision Making and 
Procedures 

Seek opportunities to apply the risk-based decision-making process to 
individual projects, problems, or opportunities. For example, an ERM 
process could help a district understand its best response to coping with 
an impending deficit in its food service program while continuing to
provide desirable, hot, and nutritious meals and remaining compliant 
with regulations. The process won’t necessarily eliminate risk or guarantee 
an outcome, but it can help the district be better informed as it makes 
difficult decisions. 

Another example might apply to the problem of late bus runs. Imagine 
engaging multiple stakeholders in considering the implications of late bus 
runs on student attendance, instructional time, and operational efficiencies. 
A thorough review of sources, triggers, likelihood, consequences, and 
potential outcomes associated with late bus runs could engage stakeholders 
in identifying, assessing, evaluating, and treating the associated risks. 

Another opportunity to broaden one’s approach to risk management is 
to incorporate it into existing policies and procedures. Some examples 
might include project management, the budget process, performance 
management, management reports to financial rating agencies, and
change-management procedures.


Action Item #7 - Establish Accountability and Performance Measures


School districts should create performance measures, key risk indicators, 
and expected outcomes for how risk will be managed and clearly establish 
who is accountable for those outcomes. Departments such as transportation, 
food services, facilities, and safety and security utilize explicit performance 
metrics and are logical places to begin. The risk management group 
associated with the Council of the Great City Schools has begun to identify 
common denominators for measuring risk-management performance and 
build upon the preliminary list of ROI incorporated in this paper. 


Action Item #8 - Look Ahead 

Where does your district need additional coordination or communication 
about identifying and dealing with risk? School districts should establish 
greater collaboration between risk management activities and internal audit 
or similar functions within a district. Internal audit, for instance, serves 
an important function in ensuring that risk management is addressing a 
broad array of risks and contributing to successful outcomes. This may also 
include the review of key performance indicators and business management 
processes. 

ERM integrates consideration of risk into decision making at all levels of the 
organization. For a mature program, the risk management process should 
be integrated into key organizational processes such as strategic planning, 
performance and process management, internal control, compliance, and 
governance. 


Conclusion and Call to Action


We live in a world of uncertainty where the need for risk management 
has never been greater. Implementing ERM can help districts navigate 
that uncertainty. It provides a framework for strategic thinking, consistent 
management, continual improvement, and communication. It also specifies 
a process for assessing risk that supports strategy, goals and objectives. 

ERM is a practical model that helps prioritize all risks and brings focus to 
decisions and activities. Over time, implementing ERM will build resilience 
and preparedness for all stakeholders. 

It is important to recognize that ERM is an emerging practice among 
businesses, public entities, the federal government, and school districts in 
the United States. The ERM approach to managing risk is far-reaching and 
growing in support. For public school districts, implementing ERM can be 
a low-cost, high-yield strategy that improves the chances that we’ll be able to 
achieve our most important goal — the education of the next generation. 


Appendix A: Best Practices


Best Practices for a large urban school district to define and measure ERM
performance:

• The Risk Management function is at a senior staff level and reports
directly to a cabinet level position within the school district.

• The school district creates an annual strategic plan, which includes
wording to capture the upside and downside of risk (or opportunities
and threats) as it pertains to the strategic plan.

• Newly created school district initiatives are evaluated from an ERM
perspective, using a consistent risk analysis process to identify, prioritize,
and manage potential threats and opportunities, assign risk owners,
and track treatment. The ERM perspective considers the values
and perceptions of key stakeholders and plans for communication,
monitoring, and the review of key risks.

• Risk Management goals are set and evaluated annually to assure support
of the school district’s mission and vision statements.

• Risk Management discussions are included in cabinet meetings to assure
that key internal stakeholders (for example, transportation, food services,
facilities, special education, safety and security) are identifying and
controlling risks within their respective operations.

• The school district’s audit function coordinates with the district’s ERM
program to audit prioritized risks and shares responsibility with the Risk
Management function to assure successful outcomes.

• Risk Management monitors and documents the results of the school
district’s ERM program by reporting out to regulators, financial agencies,
and other outside organizations and stakeholders.

• The school district has established specific return-on-investment (ROI)
criteria for the creation and sustainability of its ERM program in order
to benchmark and report on results.